FFmpeg and Libav contain a flaw in the vc1_draw_sprites() function in libavcodec/vc1dec.c. With a specially crafted file, a context-dependent attacker can trigger use of uninitialized data, leading to an unspecified impact.